Administering user accounts

Security profiles

A security profile is a set of pre-configured values for parameters that control the security behavior of your system, such as how long passwords last, or what privileges are assigned to users. Once you choose a profile, you can switch to another profile, or change any one of the dozens of parameters on an individual basis.

System security profiles

| Security parameters | Low | Traditional | Improved | High |
|---|---|---|---|---|
| Minimum weeks between changes | 0 | 0 | 0 | 2 |
| Expiration warning (weeks) | - | - | 1 | 6 |
| Lifetime (weeks) | infinite | infinite | 24 | 12 |
| Minimum length | 1 | 3 | 6 | 8 |
| Password required to login | no | yes | yes | yes |
| Maximum unsuccessful attempts before delay is started | 99 | 99 | 5 | 3 |
| Delay between attempts (secs) | 0 | 10 | 20 | 20 |
| Time to complete login (secs) | 300 | 60 | 60 | 60 |
| Weeks an account can be idle | infinite | infinite | 50 | 50 |
| Logging threshold for failures | infinite | infinite | 5 | 1 |
| Services disabled | none | none | tftp mountd ypupdated rusersd walld sprayd | tftp finger systat netstat shell login exec ftp telnet mountd ypupdated rusersd walld sprayd |
| Audit (if configured) | | | | |
| Action if audit write error | disable | disable | shutdown | shutdown |
| Action if audit log is full | disable | disable | disable | switch |
| Events audited | id_auth priv process | id_auth priv process cov_chan | priv process device cov_chan audit | priv process device cov_chan audit file_access io_cntl printer sched |
| root login on console only | no | no | yes | yes |
| Console <Ctrl><Alt><Del> allowed | no | no | no | no |
| su(1) use logged | no | no | yes | yes |
| Default umask[1] | 022 | 022 | 027 | 077 |
| UIDs reusable[2] | yes | yes | yes | yes |
| Users can schedule jobs | allow | allow | deny | deny |
| Home directory permissions | 755 | 755 | 750 | 700 |
| Restricted chown(1)[3] | no | no | yes | yes |
| Remote printing access allowed | yes | yes | no | no |

  1. The default umask is set in /etc/profile and /etc/cshrc. A umask of 077 results in the creation of files that are readable only by the owner.

  2. Deleted UIDs are reserved for 12 months to prevent assignment to a new user; see "Limiting reuse of UIDs".

  3. For BSD/FIPS compatibility, use of the chown(1) function is restricted so that users cannot change file ownership.
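
The "Default umask" and "Home directory permissions" rows can be checked against a live system. The following is an added example, not part of the SCO documentation: it treats a setting as compliant when it is at least as restrictive as the profile's value, so a 700 home directory passes the Improved profile while a 755 one does not. The function names, the sample startup text and the temporary directories are constructed for illustration.

```python
import os
import re
import stat
import tempfile

# Values copied from the table above: (default umask, home directory permissions).
PROFILES = {
    "Low": (0o022, 0o755),
    "Traditional": (0o022, 0o755),
    "Improved": (0o027, 0o750),
    "High": (0o077, 0o700),
}

UMASK_RE = re.compile(r"^\s*umask\s+([0-7]{1,4})\b", re.MULTILINE)


def effective_umask(startup_text):
    """Return the last umask set in a shell startup file, or None if absent."""
    values = UMASK_RE.findall(startup_text)
    return int(values[-1], 8) if values else None


def audit(profile, startup_text, home_dirs):
    """List settings that are more permissive than the chosen profile."""
    want_umask, max_home = PROFILES[profile]
    findings = []
    umask = effective_umask(startup_text)
    if umask is None:
        findings.append("no umask set")
    elif want_umask & ~umask:
        # A bit the profile masks out is left unmasked by the system.
        findings.append(f"umask {umask:03o} is weaker than {want_umask:03o}")
    for path in home_dirs:
        mode = stat.S_IMODE(os.stat(path).st_mode)
        extra = mode & ~max_home  # bits granted beyond the profile
        if extra:
            findings.append(f"{path}: mode {mode:03o} grants extra {extra:03o}")
    return findings


def demo():
    """Constructed sample: one tight and one loose home directory."""
    with tempfile.TemporaryDirectory() as root:
        tight, loose = os.path.join(root, "alice"), os.path.join(root, "bob")
        for path, mode in ((tight, 0o700), (loose, 0o755)):
            os.mkdir(path)
            os.chmod(path, mode)
        text = "# constructed /etc/profile excerpt\numask 022\n"
        return {p: len(audit(p, text, [tight, loose])) for p in PROFILES}
```

Calling demo() returns the number of findings per profile for the constructed sample; on a real host, pass the contents of /etc/profile or /etc/cshrc and the list of home directories to audit().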


© 2004 The SCO Group, Inc. All rights reserved.
UnixWare 7 Release 7.1.4 - 22 April 2004